
Optiv Threat Intel Splash only two lists get populated

Explorer

Hi all

Well I guess a picture says more than a thousand words, so I will try to show you the problem.


As you can see, only Malc0de and Emerging Threats get populated. The others have N/A.

If I look in the troubleshooting logs, I'll see this:

[*] Script Started at: 11-24-2016 12:42:35 GMT
[*] Script version: 3.00
URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Finished retrieving 818 IPs from SpamHaus.
Finished retrieving 23 IPs from Dshield.
Finished retrieving 716 IPs from Feodo.
URL: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
Finished retrieving 1423 Emerging Threats Compromised IPs.
URL: http://www.binarydefense.com/banlist.txt
Finished retrieving 4336 IPs from Binary Defense.
URL: http://malc0de.com/bl/IP_Blacklist.txt
Finished retrieving 262 malc0de_IPs.
URL: https://reputation.alienvault.com/reputation.generic
Forbidden
Access denied!
[*] Executing get alerts script.

If I try to run the optivthreatlists.py manually, I'll get this:

/opt/splunk/etc/apps/optivthreatintel/bin# ./optivthreatlists.py
logfilename: /opt/splunk/var/log/splunk/optivthreatlistsscript11-24-2016-20-29-58.log
[*] Script Started at: 11-24-2016 20:29:58 GMT

[*] Script version: 3.00
URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Finished retrieving 818 IPs from SpamHaus.
Finished retrieving 23 IPs from Dshield.
Finished retrieving 716 IPs from Feodo.
URL: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
Finished retrieving 1423 Emerging Threats Compromised IPs.
URL: http://www.binarydefense.com/banlist.txt
Finished retrieving 4370 IPs from Binary Defense.
URL: http://malc0de.com/bl/IP_Blacklist.txt
Finished retrieving 255 malc0de_IPs.
URL: https://reputation.alienvault.com/reputation.generic
Forbidden
Access denied!
Traceback (most recent call last):
  File "./optivthreatlists.py", line 883, in <module>
    main()
  File "./optivthreatlists.py", line 817, in main
    parseAlienVault(raw_threatlist)
  File "./optivthreatlists.py", line 703, in parseAlienVault
    AlienVaultIPs = urlResults.split('# Generic format')
AttributeError: 'int' object has no attribute 'split'

Any help would be appreciated.

Thank you

Re: Optiv Threat Intel Splash only two lists get populated

Communicator

Dev here. I am getting the same thing. AlienVault changed something with their feed. I am working on a new release to address some issues. In the meantime, try this:

Open optivthreatlists.py
Go to line 817
Comment out the line specified.

raw_threatlist = getUrl(urlList[4].strip('\n'),'true') 
#if len(str(raw_threatlist)) > 3:
    #parseAlienVault(raw_threatlist)

^^^^^Put a hash mark in front of parseAlienVault

Restart splunk. Just tested it and it fixed the issue for me.
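The traceback in the question shows what goes wrong: after the 403 from AlienVault, getUrl hands parseAlienVault an int instead of the feed text, and the whole script dies on `.split`, taking the remaining lists with it. The following is an added illustration of the more robust pattern, not the Optiv app's own code: the feed names, URLs, fake responses and helper names (fetch_feed, parse_ip_list, collect_feeds, FeedError) are constructed stand-ins. A failed fetch raises instead of returning a status code, so one broken feed is logged and skipped while the others are still parsed and populated.

```python
import ipaddress
import logging

logger = logging.getLogger("threatlists")


class FeedError(Exception):
    """A feed could not be fetched; carries the URL and HTTP status."""

    def __init__(self, url, status):
        super().__init__("%s: HTTP %s" % (url, status))
        self.url = url
        self.status = status


# Constructed stand-in for real HTTP responses: url -> (status, body).
# The third entry mimics the symptom from the thread: a 403 whose body is an
# error page, not a threat list.
FAKE_RESPONSES = {
    "http://feeds.example.invalid/block-ips.txt": (
        200, "# constructed sample feed\n1.2.3.4\n5.6.7.0/24\n\nnot-an-ip\n"),
    "http://feeds.example.invalid/banlist.txt": (
        200, "10.0.0.1\n10.0.0.1\n10.0.0.2 # trailing comment\n"),
    "https://feeds.example.invalid/reputation.generic": (
        403, "Forbidden\nAccess denied!\n"),
}

# Constructed feed names; the real app keeps its list in its own config.
FEEDS = {
    "emerging_threats": "http://feeds.example.invalid/block-ips.txt",
    "binary_defense": "http://feeds.example.invalid/banlist.txt",
    "alienvault": "https://feeds.example.invalid/reputation.generic",
}


def fetch_feed(url, responses=FAKE_RESPONSES):
    """Return the feed body as text, or raise FeedError for any non-200 status.

    Returning a bare int status code on failure lets the error reach the
    parser as the wrong type; raising keeps the two outcomes distinct.
    """
    status, body = responses.get(url, (0, ""))
    if status != 200:
        raise FeedError(url, status)
    return body


def parse_ip_list(text):
    """Parse a one-entry-per-line IP/CIDR feed into a set of canonical strings.

    Comments ('#' to end of line), blank lines and unparseable entries are
    skipped; bad entries are logged rather than aborting the feed.
    """
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            logger.warning("skipping unparseable entry %r", line)
            continue
        # Single hosts are stored without a /32 (or /128) suffix.
        if net.prefixlen == net.max_prefixlen:
            entries.add(str(net.network_address))
        else:
            entries.add(str(net))
    return entries


def collect_feeds(feeds=FEEDS, responses=FAKE_RESPONSES):
    """Fetch and parse every feed; return (parsed, failures).

    A failing feed is recorded with its HTTP status and the loop continues,
    so the remaining lists are still populated.
    """
    parsed = {}
    failures = {}
    for name, url in feeds.items():
        try:
            body = fetch_feed(url, responses)
        except FeedError as exc:
            logger.error("feed %s failed: %s", name, exc)
            failures[name] = exc.status
            continue
        parsed[name] = parse_ip_list(body)
    return parsed, failures


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    parsed, failures = collect_feeds()
    for name, ips in sorted(parsed.items()):
        print("%s: %d entries" % (name, len(ips)))
    for name, status in sorted(failures.items()):
        print("%s: skipped (HTTP %s)" % (name, status))
```

Run as-is it uses the constructed responses; swapping fetch_feed for a real HTTP call that raises on non-200 status is the only change needed to use it against live feeds. The failures dict is what a dashboard would surface as N/A for one list instead of leaving every list empty.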

Re: Optiv Threat Intel Splash only two lists get populated

Explorer

Thank you very much. This did indeed help 🐵


As you can see, it now populates most fields. Of course the AlienVault isn't working. Strangely enough the Binary Defence isn't either, but I'll give the splunk search a look.

Again, thank you for your help.

Re: Optiv Threat Intel Splash only two lists get populated

Explorer

One note, if you are working on a new release, I too have the problems mentioned in this thread (https://answers.splunk.com/answers/439382/optiv-threat-intel-after-initial-configuration-get.html). I am able to use the workaround mentioned, by modifying the conf files directly, but it isn't possible to modify this through the Splunk GUI (the changes from the config files aren't shown in the GUI either). This is just FYI 🐵

Have a nice weekend.
